Bypassing the language select?

Started by Heartless, December 16, 2018, 04:08:05 PM


Heartless

Hello! Wondering if someone could help me with this. If it helps any, I'm messing around with "The Revenge of the Smurfs".

I'm trying to hack a game to bypass the language select screen, but I'm not sure how to do it. I'm fairly new to this type of hacking, but I can usually work out what to do after I'm pointed to the right direction. What I'd like to do exactly is either:

1. Skip the language select screen alone. I know the IRAM address, and I know that it changes to each intro screen until it reaches the language select (03). Not sure how to change the command to stop it from going there, and to skip it.

2. Skip all of the intro screens and go straight to the opening cutscene. I know the IRAM address, once set to 05, will do this. But I'm not sure how to force the game into setting this value upon opening.

Psyklax

Hello, I found this post a tad frustrating. :D You're asking for help, yet you say you've found two RAM addresses (by the way, I've never heard anyone say IRAM before, I had to do an online search for it :D ) but you won't say which RAM addresses they are. If you know that putting a certain value in a certain RAM address will do exactly what you want... then tell us the addresses! Then we can find the instructions that affect those addresses and give you what you need. :)

Also I had to do an online search for "Revenge of the Smurfs" because you didn't say it was for the GBA. This is useful information. :)

FAST6191

Not sure where you would have picked up the term IRAM for the GBA. http://problemkaputt.de/gbatek.htm#gbamemorymap tends not to use it (WRAM or just RAM, VRAM then being the thing people make a distinction with, or the CPU stuff should that be necessary and I guess SRAM for those games that use it) and https://www.cs.rit.edu/~tjh8300/CowBite/CowBiteSpec.htm#Memory%20Map mentions IWRAM I guess. Not sure about any of the various homebrew guides ( http://www.coranac.com/tonc/text/asm.htm appears not to, http://blog.quirk.es/2008/12/things-you-never-wanted-to-know-about.html and https://patater.com/gbaguy/gbaasm.htm tend not to either). Been a while since I read the official docs from ARM so maybe there? More links like that in http://www.romhacking.net/forum/index.php/topic,14708.0.html if you wanted them.
If you are going to be talking to assembly hackers for the GBA then maybe go with the stuff from the no$gba docs as that is what most will know and reference.

Anyway back on topic.
Skipping loading screens is usually a matter of finding where their final branch (for the given screen or the whole thing) sends you, as well as replicating any setup/copying done in the background. Setup/copying done in the background is usually pretty minimal on the GBA (everything tends to run from the fast memory mapped cart, or get small things copied during runtime to the memory and go from there so it is not like it is loading from a CD and using it as a mask), however here you will probably want to figure out what value/flag it sticks in memory for the language select (the alternative being force via pointers the language you want in any case or hope the default is what you want it to be and memory was cleared/initialised).
Bonus for you is if it is a select thing and you have to press a button then you can watch the results of a button press in your debugger rather than trying to find a timer in a slideshow or something for the normal take on dev/library/pub title cards. If you would rather not fiddle with button press logic then find where it stores the selection value (I don't know how it does it here but presumably left and right to select a flag or language name) and then set a breakpoint on whatever reads that. I should also note that if you are going that way then it is not unheard of for the value to be left in a register for the purposes of a select screen.

As for forcing things upon boot or near to that then that is not so bad on the GBA. Finding the executable part of the binary is quite easy and once you have that you can start messing around. In the last guide I linked above I have a visual version but the short one is the very first thing in the ROM is an instruction, this will usually skip to the end of the header. Here the game will do a bit of housekeeping/IO and then the first jump to something in the 08?????? region is where the binary you might want to edit is found. Sticking a single instruction should be doable, and you have a whole 32 megabytes of nice fast ROM space (-a tiny bit for the game) to stick stuff in if you have to branch somewhere.


Heartless

Sorry Psyklax! Completely forgot. The addresses are found at 030016c4 (screen select) and 03001690 (skip to intro with the value 04).

And thanks for the information, FAST6191! I will definitely check that guide out and see how it goes.

Heartless

Me again!

Just need a little more help apparently. I'm a bit lost on what to do next. I can use a breakpoint on cheat engine, but that's no good when the addresses don't match the gamepak, so I tried No$gba instead.

The blue highlighted address has the number that is the highlighted language, but I don't know how to proceed. The part highlighted in gray is what the program keeps returning to, and I don't understand how to find the right command/pointer because of this.

https://imgur.com/a/cQqynQV

(also, if doing this is something that is considered really simple, you can tell me - it might be that I'm just not as ready as I first thought to make edits like this)

FAST6191

I am lost as to what you have and are trying to do with that info.

"03001690 (skip to intro with the value 04)"

Does this mean the game will not show the language select if it sees the value 4 there? Presumably for people doing a soft reset or having finished the game and being dumped back at things after the credits or exiting via a menu.
If so then you.

Or is it just a kind of page count as it were (we have done 0, 1, 2 and 3, now we are doing 4 sort of thing).

Or is it the language value selected for the game use (note, might be different to the one the game uses to determine language to display).

VBlankIntrWait is a BIOS function that makes the GBA go into a low power mode; there is nothing much happening on this screen so presumably the devs, or maybe compiler, put it in low power mode because it is good form while it awaits your command.
https://www.coranac.com/tonc/text/swi.htm has a bit more on such things if you wanted it.

... this is getting nowhere fast. I will try another approach.

Game intros are usually just slideshows. They will display a picture, maybe some music, maybe a fade, in some cases maybe a little animation too. Some will be individual code sections for each slide, some will be more of a slideshow loop (at end of slide one add one to counter, display next slide, if counter = [end slideshow value] then goto game). Sometimes this intro can also be a distraction if it is copying data or doing some long winded setup, though as the GBA is not a CD console, uses directly mapped fast memory and nobody does procedural generation at this level on the GBA this is not so common here.

Language (and in some older games then difficulty too) tend to amount to a thing to select the language, and a thing to set the language value/flag/variable once you press A/start/select... on your chosen language. This final language value need not be the same thing as the thing it uses to remember where the cursor is presently located on the screen.
Your job would be to find the final value it uses. Fortunately it should be simple enough to find as nothing else has happened in the game yet to make the memory change too much. You would then do a cheat search after the language select happened (as in you selected one and pressed A or start or whatever and the next screen is happening) to see where it stores the value in memory (select either a different value and do a difference scan or the same value and do a same scan, mixing it up a bit should narrow it down, aka a fairly basic inventory item style cheat finding session). Outside chance it could be a register it keeps the value in but let us not get too silly. You might even already have this location. If you have the cursor value then you could go a bit more advanced with the debugging as it will presumably have to reference that after you press a button to confirm the selection.

When you pressed the button to confirm selection it will then go to the intro. You want to find out what location in the code it jumps to for this. A quick aside at this point to go back to the nature of intros above then if it is individual code sections then each will jump to the next section after they are done and skipping would involve changing where these jumps land.
I imagine the language screen will end something like read the controller input (or its debounced* location) and see if A/start/whatever it needs is pressed. If the relevant button has been pressed then set the language value in memory (if it is not already set) and eventually (don't know if it kicks in a fade or something) jump to the intro section. If it means you have to press next instruction a lot after confirming selection to eventually see where it jumps to then so be it.

*switches are either on or off but owing to the nature of physical things springing any given millisecond might be different to the previous despite ostensibly being pressed or depressed. Most games will copy the state of the keys at vblank, which happens 60 times a second, and do all their operations off this copy rather than risk having something strange happen if it is pressed for one thing and not a millisecond later when the next instruction reads it but the code reasonably assuming the previous thing happened.

Your job then would be to in the last logo screen before language select set the language value to what you want and force it to jump to the intro (which you have the location of). You might even be able to go even further back and do it essentially from boot. Technically you could also do it in the language selection bit if you wanted (might be easier if it is just a slideshow before).
It could quite easily be a two instruction change, one to store the language value you need, another to set a jump to the start of the intro.
As in whatever memory store command (the GBA/old school ARM processors have instructions to handle memory rather than things like X86 which do it directly in instructions) will do the deed followed by whatever jump you need to get to the place.
http://problemkaputt.de/gbatek.htm#armcpureference
That said do be aware of ARM and THUMB -- THUMB is basically a 16 bit instruction set which the GBA uses to increase the amount of code for a given amount of storage, it is not as wide ranging as ARM but can do most tasks well enough, especially intros to games. If it does switch (your debugger emulator will tell you what any given screen is operating in) then you will probably want to do the switch as well but that is just a single instruction.
If there is no space available (do bear in mind you have a whole screen you just bypassed which is now functionally irrelevant) then jump to a blank section of the ROM and do the deed there instead.

Finally if above I was right when I asked if that meant it skipped to the intro if it saw a value of 4 at 03001690 then even better. At some point in the logos or initial setup, basically somewhere before language select, simply throw a 4 into (a store memory command will do it) that location and the game will handle the rest.
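The "store a value, then jump" patch FAST6191 describes, as an added example in Python that is not from the thread or from anyone in it: it assembles the THUMB sequence `LDR r0,=0x03001690; MOV r1,#4; STRB r1,[r0]; LDR r2,=intro; BX r2` with its literal pool and writes it into a blank ROM region. The intro entry address and the ROM image are constructed placeholders; the RAM address and the value 4 come from the thread.

```python
# Added example (not from the thread): emit the "two instruction" patch FAST6191
# describes in THUMB: store the flag value 4 at 0x03001690, then jump to the intro.
import struct

FLAG_ADDR  = 0x03001690    # RAM address given in the thread
FLAG_VALUE = 4             # value the thread says skips to the intro
ROM_BASE   = 0x08000000    # GBA cart ROM base (see the gbatek memory map)
ROM_SIZE   = 32 * 1024 * 1024

def thumb_mov_imm(rd, imm8):          # MOV Rd, #imm8
    return 0x2000 | (rd << 8) | (imm8 & 0xFF)

def thumb_ldr_pc(rd, word_offset):    # LDR Rd, [PC, #word_offset*4]
    return 0x4800 | (rd << 8) | (word_offset & 0xFF)

def thumb_strb(rs, rb):               # STRB Rs, [Rb, #0]
    return 0x7000 | (rb << 3) | rs

def thumb_bx(rs):                     # BX Rs; bit 0 of Rs picks THUMB (1) or ARM (0)
    return 0x4700 | (rs << 3)

THUMB_NOP = 0x46C0                    # MOV r8, r8; pads the pool to word alignment

def build_patch(target, target_is_thumb=True):
    """Patch bytes; must be placed at a 4-byte aligned address for the offsets below."""
    # layout: 0 LDR r0  2 MOV  4 STRB  6 LDR r2  8 BX  10 NOP  12 FLAG_ADDR  16 target
    # THUMB PC = (instr + 4) & ~3: LDR@0 sees PC=4, pool word at 12 -> offset 2;
    #                              LDR@6 sees PC=8, pool word at 16 -> offset 2.
    code = [thumb_ldr_pc(0, 2), thumb_mov_imm(1, FLAG_VALUE), thumb_strb(1, 0),
            thumb_ldr_pc(2, 2), thumb_bx(2), THUMB_NOP]
    jump = (target | 1) if target_is_thumb else (target & ~1)
    return struct.pack("<6H", *code) + struct.pack("<II", FLAG_ADDR, jump)

def apply_patch(rom, patch_addr, target):
    """Write the patch into a ROM image (bytearray) at GBA address patch_addr.
    Returns the THUMB entry address a hook elsewhere would branch to."""
    if patch_addr % 4 or not ROM_BASE <= patch_addr < ROM_BASE + ROM_SIZE:
        raise ValueError("patch address must be word aligned and inside cart ROM")
    patch, off = build_patch(target), patch_addr - ROM_BASE
    region = bytes(rom[off:off + len(patch)])
    if len(region) < len(patch) or region not in (bytes(len(patch)), b"\xff" * len(patch)):
        raise ValueError("target region is not blank padding (0x00 or 0xFF)")
    rom[off:off + len(patch)] = patch
    return patch_addr | 1

if __name__ == "__main__":
    rom = bytearray(b"\xff" * 0x1000)       # constructed blank ROM tail
    INTRO = 0x08000400                      # PLACEHOLDER intro entry, not from the thread
    entry = apply_patch(rom, ROM_BASE + 0x800, INTRO)
    print(hex(entry), rom[0x800:0x814].hex())
```

The branch from the last logo screen into this block (a `BL` or `BX` at the spot found with the debugger) is the other half of the change and depends on the game's own code, so it is not generated here.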